Location services: The security risks of oversharing

The vulnerability of Web applications and the sensitive nature of personal location information will prove a disastrous combination

As soon as a new technology gets traction, smart criminals figure out a way to misapply it. And one of the hottest features in the mobile world, location awareness, is next in line for exploitation.

Services like Foursquare, Loopt, and Gowalla, which combine user-generated reviews with social networking, provide particularly attractive targets. The idea is to use your mobile device to let your followers know in real time what cool places you're patronizing and the excellent food you're eating. Stores and shop owners love it -- it's no-cost marketing in line with the current zeitgeist of user-driven info from people you trust.

A new report from the company uTest points out the reliability and security/privacy concerns these applications raise. A contest involving 300 testers found close to 900 bugs in three leading location/check-in services. That's not surprising, given recent data on Web application vulnerabilities.

In the report, 80 percent of the testers said that they were concerned about their privacy. They should be. As the recent iPad-related hack of AT&T shows, mobile devices are only as strong as their weakest link -- or their weakest partner's weakest link. The confluence of poorly protected Web apps and the goldmine of geolocation and personal information will be too rich to resist.

Here are some possible hacking or real-world crime scenarios in which data from Web-based platforms like Foursquare and Gowalla could play a part:

  • Targeted social engineering attacks that employ real-time or historical geolocation data. For example, an employee at a leading tech/pharma/defense contractor reveals, via Foursquare, his or her regular visits to the local coffee shop, where s/he is targeted by social engineers looking to gain access to the corporate network, or becomes the victim of a real-world theft (laptop, mobile device) that yields sensitive data.
  • Stalkers and estranged spouses/lovers monitor check-in services and use them to confront the object of their obsession. Expect to see these kinds of services popping up in court proceedings, as Facebook recently has.
  • Malware that leverages preference data from check-in services to social-engineer targets.
  • Malicious hackers use location data to launch real-time attacks against other check-in service users.

These days certain industry leaders like to proclaim that privacy is an outdated concept. But criminal abuse of location services to pursue people, not just their data, may give privacy advocates the most potent ammunition they've had in years.

This article, "Location services: The security implications of oversharing," was originally published at InfoWorld.com.

Copyright © 2010 IDG Communications, Inc.